WMF - Microsoft's bleeding Achilles' heel

Malicious software that exploits an unpatched vulnerability in Windows is now the most widely reported threat online - and the company won't repair it until next week!

By Robert McMillan | 04 Jan 06

Malicious software that exploits an unpatched vulnerability in Windows is now the most widely reported threat online, though it doesn't appear to be widely infecting corporate customers, according to McAfee.

In late December, hackers posted code that took advantage of the way Windows processes graphics files in the WMF (Windows Metafile) format, and that software is now being distributed in easy-to-use tools for creating malicious software that can be used to take over an unprotected computer, said Craig Schmugar, virus research manager with McAfee.

Although most security vendors, including McAfee, already protect their customers from this malicious software, an undetermined number of users are still at risk. WMF is the format used for clip-art in Microsoft's ubiquitous Office application.

Redmond's slow response unit

Microsoft has said it will not fix the underlying problem until next Tuesday, giving attackers a whole week in which to cause more damage.

About 7 per cent of McAfee users have been exposed to malicious files that exploit the WMF vulnerability, Schmugar said.

ScanSafe Services reports that about 15 per cent of its customers are being exposed to WMF malware, according to Dan Nadir, vice president of product strategy. "It looks like it's being spread either through email images or through ads that are on sites that users are browsing," Nadir said. "There's a lot of variation. It looks like there's more than 50 unique variations of this threat that we've seen."

Instant messages that contain links to maliciously encoded WMF images are also being used to spread the malware, according to security researchers.

Neither Schmugar nor Nadir could say how many PCs have actually been infected through the vulnerability, but experts said it did not appear to be disrupting corporate users, who are typically protected by antivirus software.

"As far as we're concerned, the threat is being vastly overblown," said Russ Cooper, editor of the NTBugtraq mailing list and a scientist at security vendor Cybertrust. "It's not being massively exploited."

Just two months ago, Microsoft fixed three other problems with the way Windows processes WMF images, and those vulnerabilities were not widely used with any success, Cooper said: "We've had image rendering problems in the base operating system for a long time, and still nothing massive has happened."